Without closing windows defender, to make defender (and probably other AV/EDRs) useless by removing its token privileges and lowering the token integrity.

The process of technology:

  • Enable the SeDubgPrivilege in our process security token.
  • Get a handle to Defender using PROCESS_QUERY_LIMITED_INFORMATION.
  • Get a handle to the Defender token using TOKEN_ALL_ACCESS.
  • Disable all privileges in the token using SetPrivilege
  • Set the Defender token Integrity level to Untrusted.

Demo code of Golang, here is the C++ version


Please refer to the principle explanation.


View Github